Arbor Networks has an interesting article about a botnet they discovered that uses twitter as the command and control channel. The bot herder was quite ingenius to do this. He/she is able to control the bot net from nearly anywhere as long as he/she can connect to twitter. This method provides a very reliable communications channel with a lot of redundancy, more so than many IRC servers. Additionally, this is an example of hiding covert cmmunications in plain sight and turning a legit site bad, without actually hacking it.

Similar techniques were already used before Web 2.0, but I agree with you, that such methods may increase in future.Twitter and similar services offer anonymous registration, RSS feeds, live updates in real-time, communication through http(s) - things which are likely to be misused because they fit the bill perfectly.

Though I think that using base64 was not a good idea because it can easily be decrypted.

I would have thought this could be something that is fairly simple for Twitter to tear down once discovered. Continuing to stick with hosting c&c servers/DNS within 'bullet-proof hosting' centres would be a safer option for botherders I would have thought.

This herder's communication is fairly obvious, due to it looking like a hash. But imagine if he/she were to make the bot commands subversive. For example, he/se twits, "Went to the store" and the bot net nodes know that to be "get an update from serverX."

It wouldn't take a lot to do someting like this, it is essentially a simple word substitution and would make it very difficult to tell that botnet communication was happening. To take it a step further, the herder culd rotate the key words/phrases on a regular basis.

The reason I can see for doing this instead of having it hosted on your ISP account, etc. is that ISP's are getting better about shutting down hosted sites when law enforcement calls. Also, why post your C&C on an ISP known for hosting this type of stuff, when you can fly under the radar on a "legit" site. This method additionally provides availability of a true world class hosted service. Also, if the herder were to setup separate accounts for sections of the net, he could have those accounts follow his main account and post upate resposes.

I agree with you that most of the commands could be obfuscated, I was thinking more that once the twitter accounts get discovered (AV, malware analysis etc.) it should be simple for Twitter to close the accounts.

I suppose they could go down the conficker route of constantly changing account IDs, but this pattern should again be simple to spot (new account suddenly getting 100s of hits, etc.) and unlike conficker's DNS would only require the action of one company (Twitter) rather than lots of different DNS registrars in different countries.

Reading through some of the research/articles that have been written one aspect that I hadn't appreciated is that it will make network admins' jobs harder as there could already be hundreds or thousands of users already legitimately communicating with the Twitter servers, so spotting the traffic could be more difficult than the old days of looking for IRC traffic or traffic to .ru/.cn.